Building a Python Firestore client with Firebase authentication

Bob Thomas
May 3, 2020

TL;DR
Scroll down for a quick complete code sample

So I was building a Python application that had to connect to a Firestore database. But before we dive into that, let’s clear up some of the verbs and technical terms I will use in this post.

Technical lingo

Firebase authentication: the client-side authentication layer for Firebase [4]
firebase_admin: the server-side Python library for everything Firebase [5]
IAM: identity and access management, specifically Google service accounts [6]
gRPC: Google's open-source remote procedure call system, used to communicate with Firestore [7]
OAuth2: the industry-standard protocol for authorization, which we need to use to talk to the Firestore gRPC API [1]

Introduction

The task sounds rather trivial but the catch is that the system will be packaged as a desktop application. So that means it won’t be a server instance that has internal security for saving the IAM credentials.

The application will have to use Firebase authentication as the auth layer so we can use Firestore security rules, but it should not expose Google IAM credentials.

But all the documentation is based on firebase_admin, which assumes you want to use it on a server, and that was not right for my case.

What needed to be built

So the application should authenticate using Firebase and propagate the authentication to the Firestore layer.

  • The user signs in with Firebase auth
  • Firestore gets accessed with the user token, so the security rules apply

To help visualize what we need to build, look at the diagram below.

Communications overview of the client

How to do it

I am going to break it down into some small bite-size chunks, starting with the Firebase authentication.

REST API

Make a REST API call to the Firebase auth endpoint with your API key, as shown in the code below.

Authenticating using the firebase rest API

After a successful login, the function returns a response object containing the OAuth2 user token and refresh token. This token is our key to happiness.

Building the credential object

By using the Google Cloud Firestore client directly instead of the Firebase one, you can pass in a Credentials object. This credentials object is actually an OAuth2 authentication that we can build using our user token and refresh token, as shown in the sample below.

Creating an OAuth2 credentials object from a Firebase auth response

Connecting to Firestore

After you’ve authenticated the user and created the credentials object, it is time to connect to Firestore using that credentials object.

You do this by simply passing in the database name and your credentials object, as shown in the code below.

After that, your connection to Firestore will use the Firestore security rules set for your database and the authenticated user.

Creating a Firestore gRPC connection using an OAuth2 Credentials object

And just like that, there is no need to expose your Google service account information anymore. The only thing you need to expose is your API key and database name.

And that was all folks!

Hope this will help out some lost developers like I was when stumbling upon this issue.

The code in the snippets is not 100% tested, so if it actually causes some issues let me know in the comments and I will improve it to ensure completeness.

For a full flow sample check the code below.
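
The three steps above (sign in over REST, build the credentials object, connect) in one flow, as an added example rather than the author's original snippets. It assumes email/password sign-in, treats the "database name" as the Google Cloud project ID, and uses placeholder key, account and document names.

```python
import json
import urllib.error
import urllib.parse
import urllib.request

# Firebase Auth REST endpoint for email/password sign-in.
SIGN_IN_URL = "https://identitytoolkit.googleapis.com/v1/accounts:signInWithPassword"


def build_sign_in_request(api_key, email, password):
    """POST request for sign-in; the password goes in the JSON body, never the URL."""
    body = json.dumps({"email": email, "password": password, "returnSecureToken": True})
    return urllib.request.Request(
        SIGN_IN_URL + "?" + urllib.parse.urlencode({"key": api_key}),
        data=body.encode("utf-8"), method="POST",
        headers={"Content-Type": "application/json; charset=UTF-8"})


def parse_sign_in_response(raw):
    """Return (id_token, refresh_token); raise PermissionError on a failed login."""
    payload = json.loads(raw)
    if "error" in payload:  # failures arrive as {"error": {"message": "..."}}
        raise PermissionError(payload["error"].get("message", "sign-in failed"))
    return payload["idToken"], payload["refreshToken"]


def sign_in(api_key, email, password):
    request = build_sign_in_request(api_key, email, password)
    try:
        with urllib.request.urlopen(request, timeout=10) as resp:
            return parse_sign_in_response(resp.read())
    except urllib.error.HTTPError as err:
        return parse_sign_in_response(err.read())  # 4xx replies carry the JSON error


def connect_firestore(project_id, id_token, refresh_token):
    """Open Firestore as the signed-in user so security rules apply to every call."""
    # Imported here so the helpers above run without the Google client libraries.
    from google.cloud.firestore import Client
    from google.oauth2.credentials import Credentials
    creds = Credentials(id_token, refresh_token=refresh_token)
    return Client(project=project_id, credentials=creds)


if __name__ == "__main__":
    # Placeholder values: substitute your own API key, user, project ID and document.
    id_token, refresh_token = sign_in("YOUR_API_KEY", "user@example.com", "password")
    db = connect_firestore("your-project-id", id_token, refresh_token)
    print(db.collection("notes").document("example").get().to_dict())
```

The sign-in response also carries an `expiresIn` field; once that many seconds have passed the ID token is no longer accepted, so a long-running client has to obtain a fresh one.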

Sources

[1] https://google-auth.readthedocs.io/en/latest/reference/google.oauth2.credentials.html

[2] https://bitbucket.org/joetilsed/firebase/src

[3] https://googleapis.dev/python/firestore/latest/client.html

[4] https://firebase.google.com/docs/auth

[5] https://firebase.google.com/docs/reference/admin/python

[6] https://cloud.google.com/iam/docs/service-accounts

[7] https://firebase.google.com/docs/firestore/reference/rpc/
